CyberSystem

Mastering Intune App Protection Policies (MAM)

Learn how to secure corporate data on personal devices using Intune App Protection Policies (MAM-WE) without requiring full device enrollment.

By Ali Alame
Tags: intune, mam, security, mobile, byod

In the modern workplace, employees increasingly want to use their personal devices to access corporate data. This trend, known as Bring Your Own Device (BYOD), presents a challenge for IT admins: how to secure corporate data without taking full control of a personal device.

Microsoft Intune's App Protection Policies (APP), often referred to as Mobile Application Management (MAM), address exactly this problem.

What is MAM-WE?

MAM-WE stands for Mobile Application Management Without Enrollment. It allows you to manage the apps that access corporate data without managing the device itself.

Key Benefits

  • User Privacy: IT admins cannot see personal apps, photos, or browsing history.
  • Data Security: Corporate data is encrypted and separated from personal data.
  • Adoption: Users are more likely to adopt BYOD if they don't have to enroll their device in MDM.

How App Protection Policies Work

App Protection Policies apply to "managed apps" (like Outlook, Teams, OneDrive). When a user signs into these apps with their corporate account, Intune applies policies that control how data is moved and accessed.

Common Policy Controls

  1. Data Protection:
    • Prevent Save As: Block users from saving corporate files to local storage or personal cloud services.
    • Restrict Cut/Copy/Paste: Only allow pasting between managed apps.
    • Encrypt Data: Ensure org data is encrypted within the app.
  2. Access Requirements:
    • PIN Requirement: Force a PIN to open the app (separate from the device PIN).
    • Biometrics: Allow Face ID/Touch ID for quick access.
    • Timeout: Require re-authentication after a period of inactivity.
  3. Conditional Launch:
    • Jailbreak/Root Detection: Block access on compromised devices.
    • Min OS Version: Require a minimum Android or iOS version.
    • Device Threat Level: Integrate with Mobile Threat Defense (MTD) solutions.

Creating an App Protection Policy

Here is a step-by-step guide to creating a robust policy for iOS/iPadOS (the process is similar for Android).

  1. Navigate: Go to Intune Admin Center > Apps > App protection policies.
  2. Create: Click Create policy > iOS/iPadOS.
  3. Basics: Name your policy (e.g., "iOS - BYOD - Standard Protection").
  4. Apps: Select Target to apps on all device types > Yes. Select Public apps and choose Microsoft 365 apps (Outlook, Teams, Word, Excel, OneDrive, Edge).
  5. Data Protection:
    • Block backing up org data to iTunes/iCloud.
    • Block "Save copies of org data" (allow only OneDrive for Business and SharePoint).
    • Restrict "Cut, copy, and paste" to Policy managed apps with paste in.
  6. Access Requirements:
    • Require PIN for access: Yes.
    • PIN type: Numeric.
    • Simple PIN: Block.
  7. Conditional Launch:
    • Max PIN attempts: 5 (Reset PIN action).
    • Offline grace period: 720 minutes (Block access).
    • Jailbroken/Rooted devices: Block.
  8. Assignments: Assign to a user group (e.g., "BYOD Users").
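
As an added example (not from the original post), the Python below checks a policy export against the baseline built in the steps above and reports every setting that has drifted weaker. The Microsoft Graph iosManagedAppProtection property names are my assumption of how these portal settings are exposed, and the sample export is constructed.

```python
import json
import re

# Baseline from the policy built above; Graph iosManagedAppProtection property names are assumed, not verified.
BASELINE = {
    "pinRequired": True,
    "simplePinBlocked": True,
    "dataBackupBlocked": True,         # "Block backing up org data to iTunes/iCloud"
    "deviceComplianceRequired": True,  # "Jailbroken/Rooted devices: Block"
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
}
MAX_PIN_RETRIES = 5        # "Max PIN attempts: 5"
MAX_OFFLINE_MINUTES = 720  # "Offline grace period: 720 minutes"

def iso_duration_minutes(value):
    """Convert a Graph duration such as 'PT12H', 'PT720M' or 'P3D' to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60

def check_policy(policy):
    """Return one finding per setting that is weaker than the baseline."""
    findings = []
    for key, expected in BASELINE.items():
        actual = policy.get(key)
        if isinstance(expected, list):  # any extra save location widens exposure
            extra = sorted(set(actual or []) - set(expected))
            if extra:
                findings.append(f"{key}: unexpected locations {extra}")
        elif actual != expected:
            findings.append(f"{key}: expected {expected!r}, got {actual!r}")
    retries = policy.get("maximumPinRetries", 0)
    if retries > MAX_PIN_RETRIES:
        findings.append(f"maximumPinRetries: {retries} exceeds {MAX_PIN_RETRIES}")
    offline = iso_duration_minutes(policy.get("periodOfflineBeforeAccessCheck", "PT0M"))
    if offline > MAX_OFFLINE_MINUTES:
        findings.append(f"periodOfflineBeforeAccessCheck: {offline} min exceeds {MAX_OFFLINE_MINUTES}")
    return findings

# Constructed sample export: the policy above after someone relaxed several settings.
SAMPLE_POLICY = json.loads("""{
  "displayName": "iOS - BYOD - Standard Protection", "pinRequired": true,
  "simplePinBlocked": false, "maximumPinRetries": 10, "periodOfflineBeforeAccessCheck": "P3D",
  "dataBackupBlocked": true, "deviceComplianceRequired": true,
  "allowedOutboundClipboardSharingLevel": "allApps",
  "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint", "localStorage"]
}""")
```

Running `check_policy(SAMPLE_POLICY)` on the constructed export yields five findings (simple PIN allowed, clipboard opened to all apps, local storage added, 10 PIN retries, 3-day offline grace); the same check against a compliant export returns an empty list.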

Monitoring and Reporting

Once deployed, you can monitor the status of your policies:

  • App Protection Status Report: Shows which users and apps have the policy applied.
  • Discovered Apps: See which apps are being used in your environment.

Conclusion

Intune App Protection Policies are a critical component of a Zero Trust security strategy. They allow you to enable productivity on any device while ensuring that corporate data remains secure and under your control. By implementing MAM-WE, you strike the perfect balance between security and user experience.